This document defines Guildhawk’s approach to data protection and privacy, including compliance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection legislation.
Supporting Controls
This policy is supported by Guildhawk’s Business Management System (BMS), including controls for information classification and handling, access control, incident management, risk management, service delivery, business continuity and records retention.
Data Protection Officer
Guildhawk has appointed a Data Protection Officer (DPO) to oversee compliance with data protection and privacy obligations. The role of Data Protection Officer is currently held by the Head of Business Operations.
The DPO can be contacted at: operations@guildhawk.com
Data Storage and Transfer
- Data is primarily stored on virtual servers provisioned in Microsoft Azure, in a datacentre located in London, United Kingdom, with a secondary backup location in Amsterdam, the Netherlands, for use in the event of an outage.
- Guildhawk also utilises approved third-party service providers to support business operations. Where such providers are used, personal data may be stored and processed within the European Economic Area (EEA), in line with the provider’s data hosting arrangements.
- All third-party providers are subject to due diligence, contractual data protection obligations and appropriate safeguards to ensure compliance with UK GDPR, including recognised data transfer mechanisms.
- Data is transferred either via the Guildhawk email domain or via an ISO 27001 certified file-sharing service (Box or OneDrive).
- Computer-assisted translation (CAT) tools are used, with data remaining on internal servers. Use of Google Translate or other public online machine translation engines is prohibited.
- All staff have signed NDAs and T&Cs that specify acceptable use of IT equipment and data.
- All third-party linguists have signed NDAs and T&Cs that confirm their obligation to transfer data only via the specified routes and to destroy all copies once delivery is complete.
- All IT systems have robust access control procedures in place, including multi-factor authentication (MFA).
Data Integrity
- Annual penetration tests are undertaken.
- Email is encrypted using software with FIPS 140-2 validated cryptographic modules.
- All data processing facilities have appropriate anti-malware and anti-virus protection.
Data Confidentiality
- Client quotes include a statement that, by accepting the quote, the client grants Guildhawk permission to act as a data processor for the client's own data or that of the client's clients.
- Credit card details are destroyed immediately after use.
- All staff opt in to the processing of their personal data.
- All vendors opt in to the processing of their personal data.
Data Access
- Data subjects have the right to request access to their personal data and supplementary information. These requests are known as Data Subject Access Requests.
- The Staff Handbook cites this right under Appendix 1.
- Supplier T&Cs cite this right under Appendix 1.
- Client T&Cs cite this right under clause 12.11.
- All data access requests are subject to verification of the identity of the requestor.
- Information must be provided to data subjects within the statutory timeframe (normally one month), subject to permitted extensions under applicable data protection law.
Data Retention and Deletion
- Guildhawk retains personal data only for as long as necessary to meet legal, contractual and business requirements. Retention periods for records that may contain personal data are defined in the Records Retention Schedule.
- Personal data is securely deleted or anonymised once it is no longer required, unless earlier deletion is requested and approved in accordance with data protection obligations, including the right to erasure.
Data Subject Rights
- Individuals whose personal data is processed by Guildhawk have rights under applicable data protection legislation. These include, where applicable, the right to access, rectify or erase personal data, to restrict or object to processing, and to exercise other rights available under law.
- Requests to exercise data subject rights can be made to Guildhawk’s Data Protection Officer using the published contact details. Guildhawk will respond to data subject requests within the statutory timeframe (normally one month), subject to permitted extensions under applicable data protection law.
- Where a valid request for erasure is received, personal data will be deleted or anonymised unless retention is required for legal, contractual or legitimate business purposes, in line with data protection obligations and defined retention requirements.
Purpose of Processing
Guildhawk processes personal data for purposes connected with the provision, operation and support of its services, including both project‑based services and software‑as‑a‑service (SaaS) platform offerings, as well as the management of client, user and supplier relationships and the operation of its business. This includes, as applicable:
- delivering contracted services and managing related projects;
- operating, supporting and maintaining SaaS platforms and associated user accounts;
- providing technical support, service management and customer communications;
- meeting contractual, legal and regulatory obligations;
- managing business operations, administration and finance;
- maintaining information security, quality assurance and compliance; and
- supporting recruitment, employment and supplier engagement activities.
Personal data is processed only for purposes that are lawful, transparent and relevant to Guildhawk’s role as a data controller and, where applicable, as a data processor acting on behalf of clients.
Types of Personal Data Processed
Depending on the nature of the service provided, Guildhawk may process the following categories of personal data:
- identification and contact details (such as names, email addresses, job titles and contact information);
- client, user and account information related to the use of Guildhawk services, including SaaS platform access;
- commercial and contractual information relating to clients, suppliers and partners;
- project, service delivery and support‑related information that may include personal data;
- employment, recruitment and contractor‑related information;
- technical and security‑related information generated through the use and administration of systems (for example access logs and audit records).
Where required, Guildhawk may also process personal data on behalf of clients as a data processor, in accordance with client instructions, contractual arrangements and applicable data protection obligations. Where required by the nature of the service or client instruction, Guildhawk may process special‑category personal data on behalf of clients, subject to appropriate safeguards and contractual controls.
Lawful Basis for Processing
Guildhawk processes personal data only where a lawful basis applies, in accordance with applicable data protection legislation. Depending on the context and Guildhawk’s role as a data controller or data processor, the lawful bases relied upon may include:
- Performance of a contract, where processing is necessary to deliver services or fulfil contractual obligations;
- Legitimate interests, where processing is necessary for Guildhawk’s business operations and those interests are not overridden by the rights and freedoms of individuals;
- Consent, where individuals have given clear consent for specific processing activities;
- Compliance with a legal obligation, where processing is required by law or regulation; and
- Other lawful bases, where applicable, such as vital interests or tasks carried out in the public interest.
Where Guildhawk acts as a data processor, personal data is processed in accordance with client instructions and the lawful basis determined by the relevant data controller.
Where required by clients or by the nature of the service, Guildhawk applies specific data‑processing constraints (such as access, jurisdiction or transfer restrictions) in accordance with contractual arrangements, risk assessments and applicable data protection obligations.